防止多提交PHP [英] Prevent multi submit PHP

问题描述

我正在寻找一种防止多表单提交的方法.我有一个表单，例如 chat.php 及其对不同文件的 POST 操作，例如 submitter.php.

I am seeking a way to prevent multi form submit. I have a form, for example chat.php and its POST action on different file, eg submitter.php.

我已尝试使用 $_SESSION 使用唯一令牌实现解决方案.chat 有一个唯一的 $_SESSION[token] 并且提交者有 if $_POST[token]==$_SESSION[token]我的问题是，如果我打开了多个窗口，它就不起作用.猜猜该应用程序是一个聊天脚本，用户可以在其中在多个窗口上聊天，例如 chat.php?user=5、chat.php?user=10 等)

I've tried to implement the solution with the unique token using $_SESSION. chat had a unique $_SESSION[token] and submitter had the if $_POST[token]==$_SESSION[token] My problem is that it didn't work if I had multiple windows opened. Guess the application is a chat script where users can chat on multiple windows, like chat.php?user=5, chat.php?user=10 etc)

如果用户打开了一个窗口，那就完美了.

If users had one window opened, that worked perfectly.

有什么想法吗?

按要求编码....

chat.php

$_SESSION['token'] = md5(session_id() . microtime());

提交者.php

if($_POST['submg'] == "1") {
    if ($_POST['token'] == $_SESSION['token']) {
     // do stuff
    }
    unset($_SESSION['token']);
}

推荐答案

$_SESSION 将在一台机器上所有打开的浏览器窗口中共享.因此，如果您打开 Firefox 并登录，您打开的每个其他 Firefox 窗口也会登录到该服务.您可能想要的是页面中的令牌，它与每个请求一起提交(很像 CSRF 令牌)，该令牌对于页面的实例来说是唯一的.然后，$_SESSION 变量和令牌的组合可用于识别特定会话中的特定浏览器.

$_SESSION is going to be shared across all open browser windows on a machine. So, if you opened up Firefox, and logged in, every other Firefox window you have open is also logged into that service. What you likely want is a token in the page that gets submitted along with each request (much like a CSRF token) that is unique to the instance of the page. Then, a combination of the $_SESSION variable and the token can be used to identify a particular browser within a particular session.

下面的例子.

<?php
session_start();
$instance = null;

if (! array_key_exists('token', $_SESSION)) {
    $_SESSION['token'] = md5(time() . 'salt value');
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $instance = $_POST['instance'];
} else {
    $instance = md5(time() . 'some other salt value');
}
?>
<p>You are session <?php echo $_SESSION['token']; ?>, instance <?php echo $instance; ?></p>
<form method="POST" action="">
    <button type="submit" name="instance" value="<?php echo $instance; ?>">Submit</button>
</form>

您可以做的另一件事是使用加密或单向散列来屏蔽用户名.因此，您可以传递一个加密的用户名作为您的实例"字段，然后在后端(使用会话令牌和实例)对其进行解密，以确定哪个用户正在向服务器发送消息.

One other thing you could do is use encryption or one-way hashing in order to mask, say, a username. So you would pass an encrypted username as your "instance" field, and then decrypt it on the back end (using the session token and instance) to figure out which user is sending a message to the server.

不过，基本上，这滥用了 PHP 会话的概念.PHP 会话适用于浏览器，而不是浏览器选项卡/窗口.

Basically, though, this abuses the concept of PHP sessions. A PHP session is for a browser, not a browser tab/window.

这篇关于防止多提交PHP的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！